How to change Security Gateway name ?

For some reasons we may need to change the name of a Security Gateway.

I was wondering how to do exactly and what type of outage we could face on each steps.

Lets say that we have 100+ firewalls around the world, members of some VPN Communities (not based on PSK but certificates) ; their names are based on a site code as other local IT devices and because occasionally equipment are moved to another building : we need to change their names.

Changing the IP address is not a problem ; but changing the name, that's another thing.

I see six places in which we must change the name :

SmartConsole (the firewall object itself)

Operating System

hostname (no outage at all, using "set hostname ****" clish command)

host name entry : we must take care of it as Check Point process cannot start if they are not able to understand the corresponding IP of the firewall name ; use "show host names" clish command)

And for three certificates : WebUI portal, IPSec and SIC

For SmartConsole : I don't know how to change it except creating a new firewall object as the previous one.

=> Q : is there an alternative ?

For certificates:

WebUI do not cause a real traffic outage but we have to take care of RemoteAccess users if the Security Gateway is used as VPN EndPoint Gateway ;

For IPSec : the certificate will be created at the creation of the firewall object or can be created again on the "Repository of Certificates Available to the Gateway" but during the time the new certificate is not pushed on other firewalls IPSec tunnels based on certificate are down

As I understand it there is no way to change the gateway name as the SIC certificate is tied to the object (clicking on the object shows you the SIC name). I think you are correct, you will need to recreate the gateway objects and reset SIC. As you mentioned VPN tunnels there is another layer of complexity here: let's say you have 2 gateways, A and B that use certificates for tunnel establishment. You go through and rename A in Dashboard and reset SIC. If you then only install policy to gateway A, the VPN tunnel to B will go down as A is now using a different certificate than B expects. You will need to also install policy to B and any other gateways in that community or else the tunnels will not come up. As they need to renegotiate you may also observe some sort of outage.

If you did this gateway by gateway you would need to install policy to all gateways participating in VPN tunnels each time you reset SIC. I'd probably segment by community. Create the new gateway objects without establishing SIC, add them into relevant rules and communities and remove references to the old names from said communities. Then reset SIC to all of them and install policy to that group. Complexity is increased if you have gateways in multiple communities.